<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.26.2">
</HEAD>
<BODY>
Hi Paul,<BR>
<BR>
Sorry for the long delay. <BR>
Well, answering your questions: <BR>
<BR>
> Any reason why to change these lifetimes from the default?<BR>
Yes, by definition of the Check Point administrator.<BR>
<BR>
> You are using netkey?<BR>
Well, when I emerge openswan on my Gentoo Linux, the software is compiled with netkey activated. I don't know why.<BR>
<BR>
> Seems that connection came up fine.<BR>
Yes, but I can't use the services of the other side.<BR>
<BR>
Anyway, the log without plutodebug:<BR>
<BR>
<BR>
ipsec_setup: Starting Openswan IPsec U2.6.21/K2.6.29-gentoo-r1... <BR>
ipsec_setup: multiple ip addresses, using 200.xxx.xxx.234 on eth0 <BR>
ipsec_setup: Warning: ignored obsolete keyword (null) [ ok ]<BR>
Jul 15 13:11:12 firewall pluto[29165]: | exchange type: ISAKMP_XCHG_INFO<BR>
Jul 15 13:11:12 firewall pluto[29165]: | flags: ISAKMP_FLAG_ENCRYPTION<BR>
Jul 15 13:11:12 firewall pluto[29165]: | message ID: 53 8d de c6<BR>
Jul 15 13:11:12 firewall pluto[29165]: | ***emit ISAKMP Hash Payload:<BR>
Jul 15 13:11:12 firewall pluto[29165]: | next payload type: ISAKMP_NEXT_D<BR>
Jul 15 13:11:12 firewall pluto[29165]: | emitting 20 zero bytes of HASH(1) into ISAKMP Hash Payload<BR>
Jul 15 13:11:12 firewall pluto[29165]: | emitting length of ISAKMP Hash Payload: 24<BR>
Jul 15 13:11:12 firewall pluto[29165]: | ***emit ISAKMP Delete Payload:<BR>
Jul 15 13:11:12 firewall pluto[29165]: | next payload type: ISAKMP_NEXT_NONE<BR>
Jul 15 13:11:12 firewall pluto[29165]: | DOI: ISAKMP_DOI_IPSEC<BR>
Jul 15 13:11:12 firewall pluto[29165]: | protocol ID: 1<BR>
Jul 15 13:11:12 firewall pluto[29165]: | SPI size: 16<BR>
Jul 15 13:11:12 firewall pluto[29165]: | number of SPIs: 1<BR>
Jul 15 13:11:12 firewall pluto[29165]: | emitting 16 raw bytes of delete payload into ISAKMP Delete Payload<BR>
Jul 15 13:11:12 firewall pluto[29165]: | delete payload 0a 30 cf d7 a3 4b a3 9e 23 a8 e1 71 6f ae 4b 83<BR>
Jul 15 13:11:12 firewall pluto[29165]: | emitting length of ISAKMP Delete Payload: 28<BR>
Jul 15 13:11:12 firewall pluto[29165]: | HASH(1) computed:<BR>
Jul 15 13:11:12 firewall pluto[29165]: | 93 91 19 83 31 69 49 de dc c7 c2 6d 77 75 ee ce<BR>
Jul 15 13:11:12 firewall pluto[29165]: | 91 4f 33 13<BR>
Jul 15 13:11:12 firewall pluto[29165]: | last Phase 1 IV: b3 73 e6 6b 56 3d 01 2d ad 9c 6f 69 d6 8b 25 92<BR>
Jul 15 13:11:12 firewall pluto[29165]: | current Phase 1 IV: b3 73 e6 6b 56 3d 01 2d ad 9c 6f 69 d6 8b 25 92<BR>
Jul 15 13:11:12 firewall pluto[29165]: | computed Phase 2 IV:<BR>
Jul 15 13:11:12 firewall pluto[29165]: | a2 dd 89 70 2b ed ae 48 16 8c ff 6a bd f0 06 d1<BR>
Jul 15 13:11:12 firewall pluto[29165]: | 12 ec 96 aa<BR>
Jul 15 13:11:12 firewall pluto[29165]: | encrypting:<BR>
Jul 15 13:11:12 firewall pluto[29165]: | 0c 00 00 18 93 91 19 83 31 69 49 de dc c7 c2 6d<BR>
Jul 15 13:11:12 firewall pluto[29165]: | 77 75 ee ce 91 4f 33 13 00 00 00 1c 00 00 00 01<BR>
Jul 15 13:11:12 firewall pluto[29165]: | 01 10 00 01 0a 30 cf d7 a3 4b a3 9e 23 a8 e1 71<BR>
Jul 15 13:11:12 firewall pluto[29165]: | 6f ae 4b 83<BR>
Jul 15 13:11:12 firewall pluto[29165]: | IV:<BR>
Jul 15 13:11:12 firewall pluto[29165]: | a2 dd 89 70 2b ed ae 48 16 8c ff 6a bd f0 06 d1<BR>
Jul 15 13:11:12 firewall pluto[29165]: | 12 ec 96 aa<BR>
Jul 15 13:11:12 firewall pluto[29165]: | unpadded size is: 52<BR>
Jul 15 13:11:12 firewall pluto[29165]: | emitting 12 zero bytes of encryption padding into ISAKMP Message<BR>
Jul 15 13:11:12 firewall pluto[29165]: | encrypting 64 using OAKLEY_AES_CBC<BR>
Jul 15 13:11:12 firewall pluto[29165]: | next IV: d5 1f d7 fb 87 4b 11 55 c4 ac c9 5f cb da b7 29<BR>
Jul 15 13:11:12 firewall pluto[29165]: | emitting length of ISAKMP Message: 92<BR>
Jul 15 13:11:12 firewall pluto[29165]: | sending 92 bytes for delete notify through eth0:500 to 201.xxx.xxx.20:500 (using #9690)<BR>
Jul 15 13:11:12 firewall pluto[29165]: | 0a 30 cf d7 a3 4b a3 9e 23 a8 e1 71 6f ae 4b 83<BR>
Jul 15 13:11:12 firewall pluto[29165]: | 08 10 05 01 53 8d de c6 00 00 00 5c 2b 79 53 d1<BR>
Jul 15 13:11:12 firewall pluto[29165]: | 4e d3 13 db 72 60 07 d6 d7 e5 5b 40 0d 90 ce 67<BR>
Jul 15 13:11:12 firewall pluto[29165]: | 8c 95 b8 b6 d7 a6 ae 33 f7 6f 58 ef 64 1d ae be<BR>
Jul 15 13:11:12 firewall pluto[29165]: | 20 d8 ef 40 31 ae 98 5d f7 2c fa a5 d5 1f d7 fb<BR>
Jul 15 13:11:12 firewall pluto[29165]: | 87 4b 11 55 c4 ac c9 5f cb da b7 29<BR>
Jul 15 13:11:12 firewall pluto[29165]: | deleting event for #9690<BR>
Jul 15 13:11:12 firewall pluto[29165]: | no suspended cryptographic state for 9690<BR>
Jul 15 13:11:12 firewall pluto[29165]: | ICOOKIE: 0a 30 cf d7 a3 4b a3 9e<BR>
Jul 15 13:11:12 firewall pluto[29165]: | RCOOKIE: 23 a8 e1 71 6f ae 4b 83<BR>
Jul 15 13:11:12 firewall pluto[29165]: | state hash entry 21<BR>
Jul 15 13:11:12 firewall pluto[29165]: | next event EVENT_RETRANSMIT in 30 seconds for #9711<BR>
<BR>
<TABLE CELLSPACING="0" CELLPADDING="0" WIDTH="100%">
<TR>
<TD>
<BR>
<TABLE CELLSPACING="0" WIDTH="100%">
<TR>
<TD ALIGN="left">
<B><I>William Ferraz</I></B>
</TD>
<TD ALIGN="right">
</TD>
</TR>
<TR>
<TD ALIGN="left" VALIGN="top">
<U><A HREF="mailto:gil.cesar@inmetrics.com.br">williamferraz@inmetrics.com.br</A></U> <BR>
+55-11-3555-6825 <BR>
+55-11-9493-3475 <BR>
<BR>
<BR>
<BR>
</TD>
<TD ALIGN="right" VALIGN="top">
<U><A HREF="http://www.inmetrics.com.br/">http://www.inmetrics.com.br</A></U> <BR>
<DIV ALIGN=right> </DIV>
<DIV ALIGN=right>Avenida Guido Caloi, 1000 - bloco 4 - 4 andar</DIV>
<BR>
Condomínio Panamérica Park<BR>
05802-140 – São Paulo – SP – Brasil
</TD>
</TR>
</TABLE>
</TD>
</TR>
</TABLE>
<BR>
<BR>
On Mon, 2009-07-06 at 11:38 -0400, Paul Wouters wrote:
<BLOCKQUOTE TYPE=CITE>
<PRE>
On Mon, 6 Jul 2009, William Ferraz wrote:
> I need some help to connect my firewall with gentoo-linux and openswan to
> Check Point NGX R62.
> firewall ~ # ipsec look
Note ipsec look does not work when using netkey.
> # basic configuration
> config setup
> interfaces="%defaultroute"
>
> # plutodebug / klipsdebug = "all", "none" or a combation from below:
> #
> # "raw crypt parsing emitting control klips pfkey natt x509 private"
> # eg: plutodebug="control parsing"
> #
>
> klipsdebug="all"
> plutodebug="all"
> # ONLY enable plutodebug=all or klipsdebug=all if you are a developer !!
I guess I should have said "openswan developer" :P
> conn inm-net
> keyexchange=ike
> ike=aes256-sha1-modp1024
> aggrmode=no
> type=tunnel
> pfs=no
> ikelifetime=1440s
> keylife=3600s
Any reason why to change these lifetimes from the default?
> left=200.XXX.XXX.234
> leftnexthop=200.XXX.XXX.233
> leftsubnet=10.10.11.0/24
> leftupdown=/usr/lib/ipsec/_updown
Leave out leftupdown= if you are using the default updown script.
> right=201.XXX.XXX.20
> rightnexthop=201.XXX.XXX.1
> rightsubnet=5.16.8.0/24
> auth=esp
> authby=secret
> esp=aes128-sha1
> auto=start
> 200.XXX.XXX.234 201.XXX.XXX.20 : PSK "<my secret are oculted>"
> Log:
> Jul 6 10:30:20 firewall pluto[11204]: "inm-net" #3: transition from
> state STATE_QUICK_I1 to state STATE_QUICK_I2
> Jul 6 10:30:20 firewall pluto[11204]: | deleting event for #3
> Jul 6 10:30:20 firewall pluto[11204]: | sending reply packet to
> 201.XXX.XXX.20:500 (from port 500)
> Jul 6 10:30:20 firewall pluto[11204]: | sending 60 bytes for
> STATE_QUICK_I1 through eth0:500 to 201.XXX.XXX.20:500 (using #3)
> Jul 6 10:30:20 firewall pluto[11204]: | ed 72 75 18 6a 9e fe 70 70
> b3 3a 30 a2 94 be 26
> Jul 6 10:30:20 firewall pluto[11204]: | 08 10 20 01 9d 07 bd 62 00
> 00 00 3c 3d 95 1a 89
This is why you should not enable all debug. Please show a log without
specifying plutodebug=
> Jul 6 10:30:20 firewall pluto[11204]: "inm-net" #3: STATE_QUICK_I2: sent
> QI2, IPsec SA established tunnel mode {ESP=>0x42b8a16c <0x5bfeed6b
> xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Seems that connection came up fine.
> My interface ipsec0 doesn't start and I can't connect to any service on the
> other network.
You are using netkey? Then there are no ipsecX interfaces.
Paul
</PRE>
</BLOCKQUOTE>
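<BR>
The triage script below is an added example and is not part of either message above or of Openswan itself. It parses pluto log lines in the format quoted in this thread and separates plutodebug output (the lines whose message starts with "| ", which in the log above carry Phase 1/2 IVs, computed hashes and the ISAKMP plaintext before encryption) from the state transitions, the "IPsec SA established" line with its two ESP SPIs, and any delete notify sent. The sample log is constructed from the lines quoted in this thread; the regexes are assumptions matched to those lines only.

```python
import re

# Patterns modelled on the pluto log lines quoted in this thread (assumptions,
# not an official log grammar). Debug lines ("| ") are what plutodebug= adds;
# in this thread they include IVs, hashes and pre-encryption plaintext, so a
# log meant for a mailing list should have debug_lines == 0.
DEBUG_RE = re.compile(r'pluto\[\d+\]: \| ')
TRANSITION_RE = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): transition from state (?P<src>\S+) '
    r'to state (?P<dst>\S+)')
ESTABLISHED_RE = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): \S+: .*IPsec SA established '
    r'(?P<mode>\S+) mode \{ESP=>(?P<out>0x[0-9a-f]+) <(?P<inb>0x[0-9a-f]+)')
DELETE_RE = re.compile(
    r'sending \d+ bytes for delete notify through \S+ to (?P<peer>\S+) '
    r'\(using #(?P<sa>\d+)\)')


def triage(lines):
    """Summarise a pluto log: number of debug lines, state transitions,
    established IPsec SAs (outbound/inbound ESP SPI) and delete notifies."""
    summary = {"debug_lines": 0, "transitions": [], "established": [], "deletes": []}
    for line in lines:
        if DEBUG_RE.search(line):
            summary["debug_lines"] += 1
            m = DELETE_RE.search(line)  # in this thread the delete shows up as a debug line
            if m:
                summary["deletes"].append(m.groupdict())
            continue
        m = TRANSITION_RE.search(line)
        if m:
            summary["transitions"].append((m["conn"], int(m["sa"]), m["src"], m["dst"]))
            continue
        m = ESTABLISHED_RE.search(line)
        if m:
            summary["established"].append({
                "conn": m["conn"], "sa": int(m["sa"]), "mode": m["mode"],
                "spi_out": int(m["out"], 16), "spi_in": int(m["inb"], 16)})
    return summary


# Constructed sample: the wrapped lines from the thread joined back together.
SAMPLE_LOG = [
    'Jul 6 10:30:20 firewall pluto[11204]: "inm-net" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2',
    'Jul 6 10:30:20 firewall pluto[11204]: | deleting event for #3',
    'Jul 6 10:30:20 firewall pluto[11204]: | ed 72 75 18 6a 9e fe 70 70 b3 3a 30 a2 94 be 26',
    'Jul 6 10:30:20 firewall pluto[11204]: "inm-net" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x42b8a16c <0x5bfeed6b xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}',
    'Jul 15 13:11:12 firewall pluto[29165]: | sending 92 bytes for delete notify through eth0:500 to 201.xxx.xxx.20:500 (using #9690)',
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

With netkey there is no ipsec0 interface and `ipsec look` is not usable, so the SPIs this extracts are what you would look for in `ip xfrm state` to confirm the kernel side matches the SA pluto reports.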
</BODY>
</HTML>